Re: ICMP outgoing traffic at centos 6.7




On 06/01/2016 15:56, Shital Sakhare wrote:
Yes, now I am dropping packets in the OUTPUT chain for type 3. Initially, I
implemented the chain to drop types 0 and 8, but it didn't work and the
packets were hitting the firewall for multiple ICMP requests. I didn't
understand the problem. After posting here I went through all the ICMP
types, where I understood to drop packets for "Host unreachability".
Thanks for your help Mr. Gordon 🙏.

On Wed, Jan 6, 2016 at 8:47 PM, Gordon Messmer <gordon.messmer@xxxxxxxxx>
wrote:

On 01/06/2016 05:47 AM, Shital Sakhare wrote:

Thanks, Dropped the ICMP type 3 port. Now question to find the cause.


Well, based on your tcpdump output, it looks like your rules were
rejecting unrelated packets, or tcp/443 packets.  It's hard to be sure
since the ICMP was the first packet, so you didn't show the packet it was
actually replying to.

The ICMP traffic is a result of rejecting rather than dropping that
traffic.  That is, I think you're looking at the problem wrong.  The ICMP
traffic is simply the result of a choice you made.  Are you dropping type 3
in the output chain?



I assume you also have rules in the INPUT chain, and one of them reads something like this:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

When traffic matches this rule your server will respond with an ICMP request. It sounds like you have now added a rule blocking your server from sending these responses. You should investigate what is matching the INPUT rule, as it could be malicious activity that should be blocked further upstream from you (e.g. at the perimeter firewall), and if you wish to stop your server sending these responses you should change the rule to DROP instead of REJECT.

Tris
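Gordon's point that the tcpdump output did not show the packet the ICMP was replying to can be addressed from the ICMP message itself: a Destination Unreachable error (type 3; `--reject-with icmp-host-prohibited` uses code 10) carries the IPv4 header and first 8 bytes of the rejected packet, so the source, destination and port that matched the REJECT rule can be recovered. The following parser is an added example, not code from this thread; the packet bytes it decodes are constructed here (TEST-NET addresses, zero checksums) rather than captured.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes that iptables REJECT targets emit.
ICMP_UNREACH_CODES = {
    0: "net-unreachable", 1: "host-unreachable", 3: "port-unreachable",
    9: "net-prohibited", 10: "host-prohibited", 13: "admin-prohibited",
}


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message and return the packet
    that triggered it (RFC 792: the error embeds the offending IPv4 header
    plus at least the first 8 bytes of its payload)."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"not a destination-unreachable message (type {icmp_type})")
    inner = icmp[8:]                      # skip type, code, checksum, unused word
    ihl = (inner[0] & 0x0F) * 4           # embedded IPv4 header length in bytes
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])  # who sent the rejected packet
    dst = socket.inet_ntoa(inner[16:20])  # which local address it was aimed at
    l4 = inner[ihl:ihl + 8]               # first 8 bytes of the transport header
    result = {"code": ICMP_UNREACH_CODES.get(code, str(code)),
              "proto": proto, "src": src, "dst": dst}
    if proto in (6, 17):                  # TCP or UDP: ports are the first 4 bytes
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    return result


def build_sample_icmp() -> bytes:
    """Constructed sample: the host-prohibited error a REJECT rule would send
    back for a TCP packet from 203.0.113.5:54321 to 192.0.2.10:443."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton("203.0.113.5"),
                           socket.inet_aton("192.0.2.10"))
    inner_tcp = struct.pack("!HHI", 54321, 443, 1000)   # sport, dport, seq
    return struct.pack("!BBHI", 3, 10, 0, 0) + inner_ip + inner_tcp


if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample_icmp()))
```

Feed it the ICMP payload from a capture (for example via tcpdump -X or a pcap reader) and the output tells you which INPUT traffic is hitting the REJECT rule, which is the investigation step Tris recommends before switching to DROP.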




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



